Speeding Snail Mail's Slow Demise
By Alex Salkever
Chiseled into the granite walls of the General Post Office that takes up an entire block at 8th Avenue and 33rd Street in midtown Manhattan are the immortal words, "Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds." No mention of anthrax.
Yet the terrifying pathogen has elicited strike threats from the postal union at the U.S. Postal Service's enormous Morgan sorting facility in Manhattan. Understandably so. And that strike, if it happens, could bring mail service to a standstill for Gotham's residents, businesses and individuals alike. They wouldn't be alone, as U.S. senators, the Supreme Court, and the State Dept. have all seen their mail deliveries interrupted due to the discovery of anthrax spores.
The potential delays for everyone who relies on mail deliveries could add momentum to the ongoing trend of moving business communications into the digital realm. But that means companies need to start thinking about the security of e-mail interaction -- one of the most insecure links in the Internet chain. Numerous security holes have been found in the most popular e-mail client, Microsoft Outlook, which Gates & Co. are working to improve. Archiving and verification systems that make sure critical e-mails are noted, tracked, and stored will gain importance.
The shift from paper to pixels began long before the anthrax scare. Already, thousands of companies undertake sensitive communications with customers and partners via e-mail or other data-exchange systems over the public Internet. Some companies, such as General Electric, have already forced suppliers to switch to electronic transactions.
By various estimates, between 80 million and 110 million Americans regularly use e-mail to communicate. Says Jeff Papows, CEO of secure e-mail service Zixit: "The amount of electronic mail that traverses the Internet today is 2.7 times the size of the paper mail delivered in the U.S."
According to research consultancy Jupiter Media Metrix, U.S. e-mail users will receive 300 pieces of commercial e-mail during 2001, up from 40 in 1999. The tally should leap to over 1,600 by 2005 as more and more direct-marketing missives and other routine correspondence -- billing, account statements, and the like -- go digital. "For direct marketers, it's a very easy calculation. They know how much it costs to send a piece of e-mail and how much revenue comes back," says Jim Nail, an analyst at Forrester Research.
As e-mail replaces paper traffic, companies will need to take new precautions and install controls that improve on traditional e-mail. While a host of systems exist, none is perfect and none has been adopted as an industry standard.
San Francisco technology law firm Morrison & Foerster uses a United Parcel Service system called Online Courier that can push big case files over the public Internet in encrypted wrappers -- and then send an instant receipt notification. The system can also stop a document before it reaches a recipient, if need be. "We use [UPS] as a document repository for things that require more confidentiality and shouldn't go through e-mail," says Jo Haraf, the firm's chief technology officer.
Other companies are making e-mail more secure by setting up "reciprocal digital certificate" systems. The Food & Drug Administration sends legally binding communications to drug companies in encrypted form using a system provided by Tumbleweed Communications, a content-management outfit. To decrypt that e-mail, a digital certificate is required. The drug companies store a copy of that certificate on their e-mail servers.
When the e-mail leaves the FDA network and travels on the public Internet, it's strongly encrypted. When the message hits a drug company's server, a digital certificate unlocks the code and allows that e-mail to be seen as unencrypted mail anywhere on the company's network.
The process is transparent to e-mail users at the desktop level. That's crucial, says Tumbleweed CEO Jeff Smith. "You can't teach a dog new tricks. [And] you can't expect customers to change their behavior to communicate with you," he says, adding emphatically, "They won't."
That mantra could prove far more important in winning over the most recalcitrant customers -- consumers wary about paying bills online. "People still look at using the computer as a chore," notes Forrester's Nail. And for Joe Internet User, privacy concerns weigh heavily. Why? It's usually obvious when someone has tampered with snail mail. When someone tampers with e-mail, however, the average user finds it almost impossible to tell.
To date, companies have dealt with encrypting e-mail by pasting a hyperlink into the message. That hyperlink, in turn, opens a Web page encrypted with a standard 128-bit Secure Sockets Layer (SSL) protocol that serves as a "private tunnel" between the user and the company. That's the way online brokerage DatekOnline -- a Tumbleweed customer -- now delivers notifications to customers, according to Smith. Hundreds of commercial customers, including JP Morgan, Salomon Smith Barney, and others, have adopted this system.
Some security experts bristle at the idea of linking e-mail to browsers, a source of some security holes in the past. And relying on a hyperlink also can make for more data management. "The hyperlink is the problem. Somebody has to maintain the Web farm where all these pages are kept when someone links back to it," says Robert Cook, the CEO of secure e-mail company Sigaba.
To counter that potential flaw, several companies recently have come out with approaches they say improve on the hyperlink model by including the entire encrypted message in an e-mail that customers or consumers can control on their desktops. "We send a secure statement, and people have it," explains Cook. "They can put it in a folder, and it's theirs. It's not linked to a Web site, and no one has to store it."
Consumers and businesses always need time to adapt to any new technology, and the transition to secure e-mail will be no exception -- particularly when basic formats and rules underpinning its most essential functions have yet to emerge. Determining those rules and the various situations in which they should apply would likely speed e-mail's adoption more than anything else. But the process will take time -- even though the anthrax threat has accelerated the pace.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Beth Belton